Local hotels debunk key-card ID theft risk

Ever check into a hotel and get one of those credit card-style electronic keys, and wondered – just how much information is really on there? Anything of a personal nature – about you?

Maybe not – in fact, it’s not likely at all. But an e-mail that has made the rounds among police, and now spread farther (as e-mails often do) might scare a lot of travelers, although local hotel officials insisted Friday that they never encode those keys with any personal data that might fall into the wrong hands when you check out – or if you lose the card.

In fact, the Pasadena, Calif., detective sergeant who issued the original warning after attending a presentation on identity theft has rolled back quite a bit, making clear that the DoubleTree chain mentioned in the original alert has changed its system in the past year to prevent such an occurrence.

The alert issued by Pasadena police Det. Sergeant Kathryn Jorge said Southern California law enforcement personnel had “recently discovered what type of information is embedded in the credit card-type hotel room keys used throughout the industry.”

A key from the DoubleTree chain, used at the presentation, reportedly was found to contain the customer’s name, partial home address, room number, check-in and check-out date – and also the guest’s credit card number and expiration date.

“When you turn them in to the front desk, your personal information is there for any employee to access by simply scanning the card in the hotel scanner,” Jorge wrote. “An employee can take a handful of cards home and using a scanning device, access the information onto a laptop computer and go shopping at your expense.”

“Simply put,” the sergeant added, “hotels do not erase these cards until an employee issues the card to the next hotel guest. It is usually kept in a drawer at the front desk with YOUR INFORMATION ON IT!!!”

Jorge advised hotel guests to “keep the cards or destroy them! NEVER leave them behind and NEVER turn them in to the front desk when you check out of a room. They will not charge you for the card.”

Detective says problem solved

In an update on the issue, after “overwhelming” response, Jorge said, “It is good to see that we are all thinking about the issue of personal and ultimately, national security.”

“The bottom line is that the hotel key used for the experiment is last year’s model,” she wrote. “The DoubleTree and many other big-name hotels responded to my e-mail with concern and assured me that technology updates have solved this problem.”

The detective explained, “In years past, existing software would prompt the user (employee) for information input. If the employee was unaware of hotel policy dictating that such information NOT be entered, it could have ended up on the card in error.”

“Since this subject came up, experiments on newer cards have failed to duplicate the problem,” Jorge wrote. “It appears that the problem is not as widespread as it used to be in the larger chain hotels. Keep in mind that not all hotels/motels are as progressive as the larger chains and employees, being human, make mistakes.”

“We in law enforcement will continue to monitor these types of information systems for glitches,” Jorge added, thanking those who responded and concluding, “(I) encourage you to keep your personal information safe.”

No such information is available on key cards at the Marriott Fairfield Inn & Suites on Hill Street, north of downtown, said Ron Reynolds, assistant manager of the 80-room facility that opened seven months ago.

“We don’t even get the whole credit card coming up on our terminal – only the last four numbers,” Reynolds said Friday.

Reynolds was surprised by the Southern California report, but Donnis Shirley, co-manager with husband Mike at Bend’s Shilo Inn, was practically incredulous that such a thing was even possible.

“Oh gosh, that’s unbelievable! I’ve never heard of anything of the sort,” said Shirley. She noted that the local Shilo soon will be switching from traditional hotel keys to the electronic card locks, part of a chain-wide changeover now under way. But she insisted that what was reported in Pasadena would be impossible with the “very successful system” the hotel is moving to.

“That’s absurd – I don’t even know how you could do it,” she said. “I don’t know anybody’s hotel that does that. There will be no credit card or other information put on the cards. It doesn’t even make sense.”

Cash Smith, manager of downtown Bend’s Phoenix Inn Suites, also found it hard to fathom the very notion of electronic key cards chock full of personal data.

“Oh my gosh, that is unbelievable!” he said. “Wow. I’ve never heard of that. That kind of scares me.”

Smith said the cards at his establishment are “just linked to one room,” with only one bit of information encoded: “the length of stay for the customer. Basically, the only thing on that card is, `This is good for this many days.’ But it doesn’t link with our computer or anything” with guest data in it.

And while the cards are reused, Smith said, “Once a new key is dipped in that door, it won’t allow that old key” to work any more, as a security precaution.